HIPAA

Office of HIPAA Compliance
For questions or concerns please contact CSC at 1-800-688-6696

In accordance with 45 CFR Part 162 – Health Insurance Reform; Modifications to the Health Insurance Portability and Accountability Act (HIPAA); Final Rule, HIPAA-covered entities, which include state Medicaid agencies, must adopt modifications to the HIPAA required standard transactions by January 1, 2012. The modifications are to the HIPAA named transactions to adopt and implement ASC X12 version 5010 and NCPDP Telecommunication version D.0. HIPAA is the federal law that introduced standards for the electronic exchange of information between health care plans (payers), clearinghouses, and providers.

Transactions, as defined under HIPAA, are electronic communications between covered entities. Standards for electronic transactions and their applicable code sets were adopted and made effective on October 16, 2000, and all covered entities were required to comply with these standards by October 16, 2002.

Health plans (payers) and those providers who conduct transactions electronically are defined as covered entities.

Providers who submit transactions through a clearinghouse or vendor should contact their clearinghouse or vendor to ensure proper measures are being taken for HIPAA compliance.

HIPAA also introduced regulations to protect patient rights and to guard against the misuse or disclosure of their health records.

The privacy rule establishes accountability and responsibility for the use or disclosure of any protected health information (PHI) for the purposes of treatment, payment or health care operations. This includes all medical records and health information used or disclosed in any form, whether electronic, written or oral.

The HIPAA Privacy Rule (45 CFR 164.502 and .508) as well as the Federal Social Security Act 1902(a)27, 45 CFR 431.107, and the N.C. Medicaid provider enrollment agreements all allow providers to share information with the Division of Medical Assistance or its agents without additional patient authorization. This includes information needed for payment of claims as well as additional information that may be requested for audits, investigations, and civil, criminal or administrative proceedings.

The privacy rule does require that the disclosure be limited to the minimum amount of information necessary to accomplish the intended purpose. The complete medical record should not be sent to the Division of Medical Assistance or its agents unless it is specifically requested.

For ASC X12 5010 transaction submissions, you must complete a Trading Partner Agreement (TPA). For more information, contact CSC at 1-800-688-6696.

A TPA is required for entities that are directly exchanging electronic data with N.C. Medicaid.

Defined in 45 CFR 160.163 of the transaction and code set rule, a TPA is a contract between parties who have chosen to exchange information electronically. The TPA stipulates the general terms and conditions by which the partners agree to exchange information electronically. The document defines participant roles, communication, privacy and security requirements, and identifies the electronic documents to be exchanged. TPAs are used by all entities that wish to establish an electronic relationship with the N.C. Medicaid program. TPAs must be on file prior to testing electronic transactions with N.C. Medicaid.

Note: Providers who contract with billing services or clearinghouses will not establish a TPA directly with N.C. Medicaid.

Providers must use reasonable safeguards when faxing or mailing items containing Protected Health Information (PHI) as defined under HIPAA. The U.S. Office of Civil Rights (OCR) offers this guidance about faxing or mailing protected information.

E-mail

The security of unencrypted information sent by email cannot be guaranteed. If it is necessary to send patient-specific information to an employee of the Division of Medical Assistance, we advise you to use DMA’s ZIX Secure Email Message Center to send encrypted email messages to DMA staff members who have a ZixMail license (most do). Simply use the link below and click the “Register” button to create an account. Then you can sign in and send and receive encrypted ZixMail messages from the secure web portal.

From the first page of the Message Center you may sign in, reset your password, register, and receive detailed user Help information. This page also provides an email address for technical support regarding the message portal. Providers with their own ZixMail licenses may send ZixMails directly and do not need to use the Zix Secure Email Message Center.

Addressing Correspondence to the Division of Medical Assistance

To ensure that information is delivered to the intended staff, please address all correspondence to a specific person at the Division of Medical Assistance. If a person’s name is not known, please address the information, at a minimum, to a specific Section. Otherwise, significant delays may occur in proper delivery of the information.

Mail sent through the US Postal Service should be addressed as follows: